Version
Cb 5.0.0 or higher
Bit9 v 7.2.0 or higher
Issue
Unable to successfully uninstall the Carbon Black sensor from a Windows host.
Symptoms
After uninstall - Sensor.LOG
2015-04-14 08:24:41: Attempting self-uninstall...
2015-04-14 08:24:41: Entering self-uninstall...
2015-04-14 08:24:41: OpenService call on CarbonBlackK
2015-04-14 08:24:41: Querying service configuration
2015-04-14 08:24:41: Deleting file \??\C:\Windows\system32\drivers\cbk7.sys
2015-04-14 08:24:41: File Deleted Successfully
2015-04-14 08:24:41: Deleting Service
2015-04-14 08:24:41: Uninstall completed successfully
2015-04-14 08:24:41: Uninstalled core driver
2015-04-14 08:24:41: OpenService call on cbstream
2015-04-14 08:24:41: Querying service configuration
2015-04-14 08:24:41: Deleting file \??\C:\Windows\system32\drivers\cbstream.sys
2015-04-14 08:24:41: File Deleted Successfully
2015-04-14 08:24:41: Deleting Service
2015-04-14 08:24:41: Uninstall completed successfully
2015-04-14 08:24:41: Uninstalled Netmon driver
2015-04-14 08:24:41: Unable to launch uninstaller [hr=0x80070005]
2015-04-14 08:24:41: Notifying server of uninstall result - 1 [CoreDrv: 0x00000000
NetMonDrv: 0x00000000
Uninstaller: 0x80070005
]
2015-04-14 08:24:41: Notification of uninstall to server result [hr=0x00000000]
2015-04-14 08:24:41: Service uninstall attempt failed; hr=0x8000ffff
2015-04-14 08:24:41: File store is stopped
2015-04-14 08:24:41: Core Driver IO completed; disconnecting...
2015-04-14 08:24:41: File store is stopped
2015-04-14 08:24:41: Core Driver IO completed; disconnecting...
Another message that may be observed is:
Pid[07DC] Tid[0848] 2017-01-12 14:59:12 CbServer::_Synch : Upgrade attempt completed HrError[0xC0000005]
Cause
The cause is the Carbon Black tamper protection updater in the Bit9 agent. The Carbon Black directories are included in the tamper protection settings, and that protection also prevents the Carbon Black server from uninstalling a sensor.
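To triage a Sensor.LOG for this pattern, the following added example (not Carbon Black code) parses the per-component uninstall results and flags the case shown under Symptoms, where both drivers are removed but the uninstaller is denied access. The function names are hypothetical, the log layout is assumed to match the excerpt above, and the HRESULT names are the standard Windows meanings of the codes in that excerpt.

```python
import re

# Standard Windows meanings of the HRESULT values seen in the excerpt above.
HRESULT_NAMES = {
    0x00000000: "S_OK",
    0x80070005: "E_ACCESSDENIED",
    0x8000FFFF: "E_UNEXPECTED",
}

# Constructed sample: the relevant lines copied from the Sensor.LOG excerpt on this page.
SAMPLE_LOG = """\
2015-04-14 08:24:41: Uninstalled Netmon driver
2015-04-14 08:24:41: Unable to launch uninstaller [hr=0x80070005]
2015-04-14 08:24:41: Notifying server of uninstall result - 1 [CoreDrv: 0x00000000
NetMonDrv: 0x00000000
Uninstaller: 0x80070005
]
2015-04-14 08:24:41: Notification of uninstall to server result [hr=0x00000000]
2015-04-14 08:24:41: Service uninstall attempt failed; hr=0x8000ffff
"""

# The result block spans several lines, so match across newlines up to the closing bracket.
RESULT_BLOCK = re.compile(r"Notifying server of uninstall result - \d+ \[(.*?)\]", re.S)
COMPONENT = re.compile(r"(\w+):\s*(0x[0-9A-Fa-f]{8})")


def parse_uninstall_results(log_text):
    """Return one {component: hresult} dict per uninstall-result block in the log."""
    results = []
    for block in RESULT_BLOCK.finditer(log_text):
        results.append({name: int(code, 16) for name, code in COMPONENT.findall(block.group(1))})
    return results


def triage(log_text):
    """Classify each uninstall attempt and decode its HRESULTs."""
    findings = []
    for result in parse_uninstall_results(log_text):
        drivers_ok = result.get("CoreDrv") == 0 and result.get("NetMonDrv") == 0
        uninstaller = result.get("Uninstaller")
        if uninstaller == 0 and drivers_ok:
            verdict = "uninstall succeeded"
        elif uninstaller == 0x80070005 and drivers_ok:
            verdict = "drivers removed, uninstaller denied access: check Cb Protection tamper events"
        else:
            verdict = "uninstall failed for another reason"
        decoded = {k: HRESULT_NAMES.get(v, f"0x{v:08X}") for k, v in result.items()}
        findings.append((verdict, decoded))
    return findings
```

Calling `triage()` on the text of a Sensor.LOG returns one `(verdict, decoded)` pair per uninstall attempt; the access-denied verdict is only a pointer, to be confirmed against the tamper protection events in the Bit9 logs.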
Solution
Steps for Cb Protection 7.x
If the Cb Protection agent is connected and visible in the Console, open the Rules > Software Rules > Updaters tab. Locate and disable the Windows 'Carbon Black Tamper Protection' Updater. This disables the 'Carbon Black Tamper Protection' Updater globally.
Steps for Cb Protection 8.x
Starting with Cb Protection 8.0, the Cb Tamper Protection Updater was replaced with a Rapid Configuration. You'll find this in the console by going to Rules > Software Rules > Rapid Configs. Locate and disable the "Cb Response Tamper Protection" configuration in order to disable tamper for Cb Response sensors.
If the Cb Protection agent is not connected to the server, the following steps can be performed to manually disable the 'Carbon Black Tamper Protection' Updater:
1. Open a Command Prompt and run the following DASCLI commands:
a) dascli password <CLI or GLOBAL password>
b) dascli kernelconfig CarbonBlackTamperProtection 0
2. Complete the Carbon Black sensor uninstall.
3. Turn the Bit9 agent CB tamper protection back on:
a) dascli kernelconfig CarbonBlackTamperProtection 1
Important Note(s)
Check the Bit9 logs to make sure tamper protection events are being generated for the Carbon Black uninstall agents.